Mobile privacy: lots of Big Brothers, little clarity

What do you call software that collects and sends information about you to its developers, advertisers, and others? On a desktop, we’re likely to name it spyware.

But on a cell phone, tablet, or other mobile device we call it an app — never realizing that it might be operating much like spyware.

As difficult as the issues surrounding privacy on a desktop computer can be, they’re virtually child’s play compared to the issues that arise with mobile devices — which, at the very least, must identify themselves to gain access to public Wi-Fi or cellular networks. Cellular devices do this through a unique identification number attached to every voice call or data request — an ID that networks store as long as your device is turned on, whether it’s in use or not.


The closest equivalents in the desktop space are tracking cookies, which we have the freedom to delete. “With mobile device identifiers, there’s no ability to delete or opt out,” says Ashkan Soltani, an online privacy consultant who recently testified (PDF file) about mobile privacy issues before the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law.

These unique identifiers give service providers — and many others — a powerful tool for tracking and recording your whereabouts. And although that history may be attached only to a number (not necessarily your name or other personal identification), Soltani said, a good researcher might be able to figure out your identity by cross-checking frequently visited locations — homes and workplaces, for example — against information in other databases. This information might then be used to send highly targeted marketing pitches, or it could be used for far more undesirable purposes.

How services use mobile devices to track you

You’ve probably seen those cop shows where suspects are tracked down by their cell’s proximity to cellular towers (or through GPS data on GPS-equipped devices). But geolocation technology doesn’t stop there. In his testimony, Soltani identified two additional means of pinpointing a mobile device’s whereabouts — both of which depend on databases maintained by little-known entities that also store information transmitted by the device.

The first relies on location providers — services that use sophisticated databases to correlate cell-tower, GPS, Wi-Fi–hotspot, and IP-address information with physical locations. By querying these services, mobile devices can determine their own whereabouts faster and/or more accurately than if they had to rely on GPS and cellular triangulation. Although this can improve and speed up location-based services (such as finding the nearest coffee shop), it also allows the location providers to track and record a mobile device’s current location at any given moment.

Not surprisingly, the developers of mobile-device operating systems — Apple, Google, Microsoft, and their competitors — are the most prominent location providers. Operating systems installed on their devices are frequently querying provider databases. That information is maintained on the device, but it’s also kept on the companies’ servers — and sometimes elsewhere, as we all learned recently. News reports disclosed that the iPhone operating system had been caching up to a year’s worth of geolocation data (including time stamps) in an insecure file, which was copied to the user’s computer when the phone was synched with iTunes.

Apple stated that it collected the information only to help improve location-based services. But it also released an iOS update that reduces the amount of data retained, stops the iTunes copy, and deletes the file completely when users opt out of location-based services. (The fix doesn’t apply to older 2G and 3G iPhones.)

Mobile devices typically let you opt out of location-based services, but Soltani questions whether consumers are all that well informed. Also, by default, mobile devices often collect location data anyway — even if their users never authorized any installed app to use it. You have to turn off location support at the device level.

The second geolocation tool, Soltani said, uses a kind of location provider he calls a location aggregator. Aggregators get geolocation information directly from wireless carriers; they don’t need an app running on your phone (with location services enabled) to track your whereabouts. These services typically sell their data to third parties, who can in turn cross-reference it against other databases for a variety of marketing uses.

How data is shared among data services

So who gets all this location information, and what can they do with it? Apple, Google, and Microsoft all say that they anonymize the data they collect; in other words, they strip out any personal-identification information. (In the wake of the Apple iOS brouhaha, Microsoft patched Windows Phones to stop sending unique identifiers to their geolocation servers.) Moreover, their data servers are typically well secured, so the chances of personal information leaking into the wrong hands are probably small.

With your permission, the mobile OSes might also allow third-party, location-based services such as Foursquare (track your friends) and Yelp (find a good restaurant or spa nearby) access to your location data. You grant the app permission to access geolocation services provided by the phone’s OS when you install it. These apps typically make money from advertising, and geolocation information helps them deliver targeted ads.

Google and Apple also use UDID-related behavioral tracking to deliver targeted ads through their ad networks (AdSense and AdMob with Google, iAd for Apple). But they allow users to opt out of the tracking; you still get ads, but they won’t be as personalized. Moreover, Android and iOS devices will still provide the data to other ad networks that don’t offer these privacy options.

On iOS and Android phones, you can turn off AdSense and AdMob behavior tracking in the Google app’s settings. (For example, on iOS devices, look for Ad Preferences and work through the various screens.) To disable Apple’s iAd behavior tracking on iOS 4 devices, type http://oo.apple.com in Safari’s address window. You should get a notification that you’ve successfully opted out.

What might surprise you, however, is that apps you don’t usually associate with locations — mobile browsers, screen savers, and even games — sell geolocation information to advertisers. Most ask you specifically for your consent to collect the data, but in some cases you might not realize you’ve given consent because it was buried deep in a lengthy license agreement.

Also, Soltani points out, some apps access more than just geolocation info; some tap into your address book, browser history, and other data. And most of these apps don’t allow you to opt out of any data services they want: if you don’t grant them permission to do so, you often can’t run the app at all.

Safeguards differ among mobile platforms

Apple and Google, the largest mobile-platform creators, take very different approaches to policing the privacy practices of app developers to prevent them from misusing your personal data by, for example, passing it along to third parties without your consent.

To get into the iTunes App Store, an application must be approved by Apple, which suggests that some scrutiny has gone into the application developer’s work. To the extent that this keeps the sleaziest developers out of the iPhone ecosystem, this is good news. But, Soltani points out, Apple also has a vested interest in helping applications make money because it typically gets a piece of the action. This practice sets up a conflict-of-interest situation: it might not always be in Apple’s economic interests to rigorously police how an app makes money.

The same issue appears to exist with Microsoft’s Windows Phone 7 series. You can acquire apps only through the Windows Phone Marketplace, which holds developers to guidelines that include privacy safeguards. (However, the upcoming update to the OS, code-named Mango, will reportedly allow developers to privately distribute applications via e-mailed links.) Microsoft also takes a cut of any ad revenue developers obtain from the ads they place in apps using Microsoft’s SDK.

Google’s Android, in contrast, is an open system. Anyone can write and market an Android app without any vetting by Google. So you’re on your own — you must do your own investigation into what an app does with your data.

As usual, technology has moved far faster than federal and state regulations. Privacy threats to mobile data are so new that the laws needed to protect consumers are still being written. And it’s far from clear whether existing laws governing privacy of phone calls (which regulate carriers) apply to mobile data, says Soltani.

Ultimately, privacy protection may depend on both legislation and technology. “You want guidelines to outline the principles, and you want technology to deliver those guidelines,” Soltani says. In the meantime, concerned consumers should at least stay informed about how their mobile device platforms and applications deal with their information.

Remember that, in addition to all the mobile-privacy issues just mentioned, mobile browsers have the same potential privacy vulnerabilities as their desktop counterparts. You may, for example, want to clear your cookie cache from time to time.

Apple’s gated-community approach probably keeps the worst offenders out; but to be fully informed, you have to take the tedious step of scrutinizing license agreements for details about how your data will be used. Pay particular attention to any clauses that relate to sharing of data with third parties.

You can also check which apps are using your location data by going into the Location Services section of the settings, which lists them all. It’s here that you can turn off location services completely for the iPhone or iPad. Similarly, Windows Phone 7 settings include switches for both OS and application location-based services. (Note that you’ll find some location switches under generic settings — that is, you must look for Web searches as opposed to the name of the application.) But as with the iPhone OS, it behooves you to read license agreements carefully, perhaps simply scanning for a clause on location or other data services.

Google does nothing to police applications. The Android OS does clearly alert you to the permissions an app is requesting, making its activities more transparent.

As for the apps themselves, the larger and more reputable the application developer, the more likely it is to have a privacy policy and the means to enforce it (secure servers, for example). If you run an application from an obscure developer in a country beyond the reach of U.S. or E.U. laws, you have little recourse if it uses your data in ways you never authorized.


WS contributing editor Yardena Arar has written about technology for the New York Times, the Canadian Press, the Associated Press, and the Los Angeles Daily News. She was an editor of PC World magazine from 1996 to 2009.

